OPS02-BP01 Resources have identified owners
Resources for your workload must have identified owners for change control, troubleshooting, and other functions. Owners are assigned for workloads, accounts, infrastructure, platforms, and applications. Ownership is recorded using tools like a central register or metadata attached to resources. The business value of components informs the processes and procedures applied to them.
Desired outcome:
- Resources have identified owners using metadata or a central register.
- Team members can identify who owns resources.
- Accounts have a single owner where possible.
Common anti-patterns:
- The alternate contacts for your AWS accounts are not populated.
- Resources lack tags that identify which teams own them.
- You have an ITSM queue without an email mapping.
- Two teams have overlapping ownership of a critical piece of infrastructure.
Benefits of establishing this best practice:
- Change control for resources is straightforward with assigned ownership.
- You can involve the right owners when troubleshooting issues.
Level of risk exposed if this best practice is not established: High
Implementation guidance
Define what ownership means for the resource use cases in your environment. Ownership can mean who oversees changes to the resource, supports the resource during troubleshooting, or who is financially accountable. Specify and record owners for resources, including name, contact information, organization, and team.
Customer example
AnyCompany Retail defines ownership as the team or individual that owns changes and support for resources. They leverage AWS Organizations to manage their AWS accounts. Alternate account contacts are configured using group inboxes. Each ITSM queue maps to an email alias. Tags identify who owns AWS resources. For other platforms and infrastructure, they have a wiki page that identifies ownership and contact information.
Implementation steps
- Start by defining ownership for your organization. Ownership can imply who owns the risk for the resource, who owns changes to the resource, or who supports the resource when troubleshooting. Ownership could also imply financial or administrative ownership of the resource.
- Use AWS Organizations to manage accounts. You can manage the alternate contacts for your accounts centrally.
  - Using company-owned email addresses and phone numbers for contact information helps you to access them even if the individuals to whom they belong are no longer with your organization. For example, create separate email distribution lists for billing, operations, and security and configure these as the Billing, Security, and Operations contacts in each active AWS account. Multiple people will receive AWS notifications and be able to respond, even if someone is on vacation, changes roles, or leaves the company.
  - If an account is not managed by AWS Organizations, alternate account contacts help AWS get in contact with the appropriate personnel if needed. Configure the account's alternate contacts to point to a group rather than an individual.
- Use tags to identify owners for AWS resources. You can specify both owners and their contact information in separate tags.
  - You can use AWS Config rules to enforce that resources have the required ownership tags.
  - For in-depth guidance on how to build a tagging strategy for your organization, see the AWS Tagging Best Practices whitepaper.
- Use Amazon Q Business, a conversational assistant that uses generative AI to enhance workforce productivity, answer questions, and complete tasks based on information in your enterprise systems.
  - Connect Amazon Q Business to your company's data source. Amazon Q Business offers prebuilt connectors to over 40 supported data sources, including Amazon Simple Storage Service (Amazon S3), Microsoft SharePoint, Salesforce, and Atlassian Confluence. For more information, see Amazon Q Business connectors.
- For other resources, platforms, and infrastructure, create documentation that identifies ownership. This should be accessible to all team members.
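The tag-based ownership check described in the steps above, as an added example that is not part of this AWS page or of any AWS tooling. It audits resources for an owning team and a group contact address, in the record shape that the Resource Groups Tagging API's `get_resources` call returns under `ResourceTagMappingList`. The tag keys `Owner` and `OwnerContact`, the company domain `example.com`, and the sample records are all assumptions constructed for the example; the domain check flags personal mailboxes, since the guidance above calls for company-owned group addresses.

```python
"""Ownership-tag audit over the get_resources() result shape.

Added example, not AWS documentation code. The input shape mirrors the
ResourceTagMappingList that resourcegroupstaggingapi.get_resources() returns;
the sample records below are constructed, and the tag keys "Owner" and
"OwnerContact" are an assumed naming convention.
"""
import re
from dataclasses import dataclass

# Assumed tag convention: one tag names the owning team, one gives a group contact.
REQUIRED_TAGS = ("Owner", "OwnerContact")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Finding:
    arn: str
    problems: list


def tags_as_dict(tag_list):
    """Flatten the [{'Key': ..., 'Value': ...}, ...] list the API returns."""
    return {t["Key"]: t["Value"] for t in tag_list}


def check_resource(mapping, required=REQUIRED_TAGS, company_domain=None):
    """Return a Finding for one ResourceTagMapping entry (empty problems == compliant)."""
    tags = tags_as_dict(mapping.get("Tags", []))
    problems = []
    for key in required:
        if not tags.get(key, "").strip():
            problems.append(f"missing or empty tag {key}")
    contact = tags.get("OwnerContact", "").strip()
    if contact:
        if not EMAIL_RE.match(contact):
            problems.append("OwnerContact is not an email address")
        elif company_domain and not contact.lower().endswith("@" + company_domain.lower()):
            # Contacts should be company-owned group aliases, not personal mailboxes.
            problems.append(f"OwnerContact is not on the {company_domain} domain")
    return Finding(mapping["ResourceARN"], problems)


def audit(mapping_list, **kwargs):
    """Return only the non-compliant findings, in input order."""
    findings = (check_resource(m, **kwargs) for m in mapping_list)
    return [f for f in findings if f.problems]


# Constructed sample in the shape get_resources() returns under "ResourceTagMappingList".
SAMPLE_MAPPINGS = [
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
     "Tags": [{"Key": "Owner", "Value": "payments-team"},
              {"Key": "OwnerContact", "Value": "payments-ops@example.com"}]},
    {"ResourceARN": "arn:aws:s3:::example-app-logs",
     "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"ResourceARN": "arn:aws:lambda:us-east-1:123456789012:function:order-worker",
     "Tags": [{"Key": "Owner", "Value": "orders-team"},
              {"Key": "OwnerContact", "Value": "jdoe@personal-mail.example"}]},
    {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:reporting",
     "Tags": [{"Key": "Owner", "Value": "data-platform"},
              {"Key": "OwnerContact", "Value": "Jane Doe"}]},
]


def report(mapping_list, company_domain="example.com"):
    """Print a human-readable summary and return the findings for follow-up."""
    findings = audit(mapping_list, company_domain=company_domain)
    for f in findings:
        print(f.arn)
        for p in f.problems:
            print(f"  - {p}")
    print(f"{len(findings)} of {len(mapping_list)} resources lack usable ownership metadata")
    return findings


if __name__ == "__main__":
    report(SAMPLE_MAPPINGS)
```

Against a real account, feed `audit` the pages returned by the tagging API's `get_resources` paginator instead of `SAMPLE_MAPPINGS`; the same predicate can back a custom AWS Config rule where the managed `required-tags` rule, which checks only for key presence, is not strict enough about what the contact value must look like.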
Level of effort for the implementation plan: Low. Leverage account contact information and tags to assign ownership of AWS resources. For other resources you can use something as simple as a table in a wiki to record ownership and contact information, or use an ITSM tool to map ownership.
Resources
Related documents:
- AWS Organizations - Updating alternative contacts in your organization
- Amazon Q Business, now generally available, helps boost workforce productivity with generative AI
- AWS Security Blog - Extend your pre-commit hooks with AWS CloudFormation Guard
- AWS DevOps Blog - Integrating AWS CloudFormation Guard into CI/CD pipelines